Register for your free account! | Forgot your password?

Go Back   elitepvpers > MMORPGs > Perfect World
You last visited: Today at 01:22

  • Please register to post and access all features, it's quick, easy and FREE!


[ask] Making an Autopot in general

Reply
 
Old   #1
 
elite*gold: 0
Join Date: Oct 2008
Posts: 1,242
Received Thanks: 669
[ask] Making an Autopot in general

Sorry for making a thread for other game here, but since I only know people from this section, please let me ask about it here, it could be useful too for starters

I'm trying to make an autopot for Ran Online, maybe some of you also play it and have any resources for it to begin with, please share . I used MHS coz CheatEngine is detected by the gameguard, is there any tool for changing its md5 file identity and wintitle like MHS ?

So far I can only find hp/maxhp address, but I dunno how to read it using autoit which I'm gonna use for making the autopot. Does every game have a base address and offsets to point a location in memory so an autopot can be made ?

I'll post screenshots later for further questions after maintenance is done, please help if anyone visits this thread

thanks in advance.

if I have this memread, it says 'int' in there, is it integer ? the hp value uses 'short' type which has different value from integer type, do I have to change it or what ?
Code:
Func memread($adress, $type = 'dword')
	Local $struct = DllStructCreate($type)
	DllCall($kernel32, 'int', 'ReadProcessMemory', 'int', $mid, 'int', $adress, 'ptr', DllStructGetPtr($struct), 'int', DllStructGetSize($struct), 'int', '')
	Return DllStructGetData($struct, 1)
EndFunc
-----edit------



This is what it looks like, I searched HP value in short type and got 3 addresses, then I tried to search the pointer of that address range and got 15 results, most tutorial I found on google showed me that step should give me one or fewer result and could be used to determine the pointer, but this gave me 15 results which is confusing.



if I choose [Find out what writes to this address] , which in PW gives HP offset directly, it crashes for this game (must be the game guard), but it gave me something with the assembler thing, is there anything useful in there ?



Smurfin is offline  
Old 03/30/2012, 17:34   #2
 
elite*gold: 20
Join Date: May 2009
Posts: 1,290
Received Thanks: 323
I don't know that game, but I do know this :

Either you have static addresses, or you have structures and thus base address and offsets.

Short is a signed 2 byte datatype.

Also, you can protect CE from GG's eyes by changing name of kernel driver and making it undetected (there are loads of guides on internet on how to, a bit of Delphi knowladge is recommended though).

Maybe if Fyyre is lurking around here, she could give you a hand with GG, she is an epic master in this type of stuff.

Cheers


Sᴡoosh is offline  
Thanks
1 User
Old 03/31/2012, 10:09   #3
 
elite*gold: 0
Join Date: Oct 2008
Posts: 1,242
Received Thanks: 669
thanks for the brief explanation, I guess it's structured so it should have base add and offsets, too bad it's GG'ed so can't experiment much on it with my limited knowledge

if anyone recognize the game and have any info on it or can give a short step by step base address/pointer searching in general for making a simple tool like autopot, please post it here
Smurfin is offline  
Old 03/31/2012, 16:51   #4
 
elite*gold: 10
Join Date: Sep 2010
Posts: 399
Received Thanks: 233
Quote:
Originally Posted by Smurfin View Post
if I have this memread, it says 'int' in there, is it integer ? the hp value uses 'short' type which has different value from integer type, do I have to change it or what ?
Code:
Func memread($adress, $type = 'dword')
    Local $struct = DllStructCreate($type)
    DllCall($kernel32, 'int', 'ReadProcessMemory', 'int', $mid, 'int', $adress, 'ptr', DllStructGetPtr($struct), 'int', DllStructGetSize($struct), 'int', '')
    Return DllStructGetData($struct, 1)
EndFunc
Nope, don't change any of the 'int's as they are required for the ReadProcessMemory API call. If you want to read a 16 bit value, call your memread() function using either 'short' for a signed short or 'USHORT' for an unsigned short integer as the second argument. It's the DllStructCreate API call that needs this.


Example:
Code:
memread($someAddress, 'USHORT')
Edit: Just noticed Swoosh has 666 posts


dumbfck is offline  
Thanks
1 User
Old 03/31/2012, 16:58   #5
 
elite*gold: 20
Join Date: May 2009
Posts: 1,290
Received Thanks: 323
Quote:
Originally Posted by dumbfck View Post
Edit: Just noticed Swoosh has 666 posts
And you stole 10 gold from somewhere



(667!!)
Sᴡoosh is offline  
Old 03/31/2012, 17:09   #6
 
elite*gold: 10
Join Date: Sep 2010
Posts: 399
Received Thanks: 233
Haha it was kindly donated to me ^_^
No ****** idea what it's for or what to do with it though
Can't be arsed to look it up
dumbfck is offline  
Old 04/01/2012, 05:58   #7
 
elite*gold: 0
Join Date: Oct 2008
Posts: 1,242
Received Thanks: 669
I'm curious about that elite gold too, anything with gold interests everyone lol

btw, got cheatengine working after hex editing everything in the exe that says 'cheat' and replaced it with 'abcde' , and the debugger crashing wasn't really caused by the publisher's game guarding software, it's the client itself that can detect if a debugger was attached to it. DBVM debugger from CE is really awesome, the [find what writes to this address] is working now though my computer froze after a few minutes the last time I tried it.
Smurfin is offline  
Old 04/01/2012, 10:13   #8
 
elite*gold: 0
Join Date: Mar 2010
Posts: 862
Received Thanks: 569
Quote:
Originally Posted by Smurfin View Post
I'm curious about that elite gold too, anything with gold interests everyone lol

btw, got cheatengine working after hex editing everything in the exe that says 'cheat' and replaced it with 'abcde' , and the debugger crashing wasn't really caused by the publisher's game guarding software, it's the client itself that can detect if a debugger was attached to it. DBVM debugger from CE is really awesome, the [find what writes to this address] is working now though my computer froze after a few minutes the last time I tried it.
Awesome

CE is a lot more convenient than MHS with these things lol.
Interest07 is offline  
Old 04/01/2012, 11:17   #9
 
elite*gold: 20
Join Date: May 2009
Posts: 1,290
Received Thanks: 323
Quote:
Originally Posted by Smurfin View Post
I'm curious about that elite gold too, anything with gold interests everyone lol

btw, got cheatengine working after hex editing everything in the exe that says 'cheat' and replaced it with 'abcde' , and the debugger crashing wasn't really caused by the publisher's game guarding software, it's the client itself that can detect if a debugger was attached to it. DBVM debugger from CE is really awesome, the [find what writes to this address] is working now though my computer froze after a few minutes the last time I tried it.
Are you sure it was GG in the first place? I know for a fact that GG cannot be defeated by simply editing strings, which are by the way encrypted in GG and not viewable with hex editor. It will simply re-download once MD5/SHA check is not passed. They probably detoured some function , used IsDebuggerPresent (lol) , some int3 tricks or other things you can do to make debugging a pain.
Sᴡoosh is offline  
Old 04/01/2012, 14:50   #10
 
elite*gold: 0
Join Date: Oct 2008
Posts: 1,242
Received Thanks: 669
Quote:
Originally Posted by Interest07 View Post
Awesome

CE is a lot more convenient than MHS with these things lol.
Yea and with both it's more convenient for us to use , MHS has many tools in the menu. Without the data type converters built in MHS, I wouldn't know that I had to search the value in short type for this game, using unknown value took a lot of time. It's useful for beginners

Quote:
Originally Posted by Sᴡoosh View Post
Are you sure it was GG in the first place? I know for a fact that GG cannot be defeated by simply editing strings, which are by the way encrypted in GG and not viewable with hex editor. It will simply re-download once MD5/SHA check is not passed. They probably detoured some function , used IsDebuggerPresent (lol) , some int3 tricks or other things you can do to make debugging a pain.
I think it's not GameGuard™ but more like a proprietary game guarding software by the publisher/developer, coz there is a game.exe shared by local Indonesian hacking forum that can be run directly without using launcher.exe so it bypasses the 'game guard' but the game still crashed everytime I clicked [find out what writes to this address], mhs debugger/CE's veh debugger/CE's windows debugger all failed, only CE's kernelmode debugger worked but not for long, it gave me a BSOD last time I tried, haven't got the time to try again, it's really painful for noob ><, have to learn how to find a base address for a game first and react quickly before BSOD happened.

a specialized game protection software like GG or HackShield is really powerful (only when it's running ), I once played an fps game called PointBlank that used HackShield, when I tried to dual login even from another windows account, it could even still detect that the game was already running in my PC, I was like "damn, seriously?" at that time and played normally , but a bypass for it was already around now.
Smurfin is offline  
Old 04/01/2012, 16:18   #11
 
elite*gold: 20
Join Date: May 2009
Posts: 1,290
Received Thanks: 323
Quote:
Originally Posted by Smurfin View Post
...I once played an fps game called PointBlank that used HackShield, when I tried to dual login even from another windows account, it could even still detect that the game was already running in my PC, I was like "****, seriously?"....
That's cause of the heartbeat packets gameguard sends to server to indicate it is still running - one of the steps to counter this would be to strip the exe and write heartbeat emulator. But since this isn't gameguard, it may be simpler. Since you already have access to a stripped version, you should have it fairly easy . What are the differences? Open both in IDA/Olly or whatever and compare

Cheers
Sᴡoosh is offline  
Old 04/02/2012, 00:03   #12
 
elite*gold: 0
Join Date: Oct 2008
Posts: 1,242
Received Thanks: 669
I have thought about that but the exe file is packed and has 4 megabytes difference in size from the original.

I won't play multiple chars on this game though, keeping a lot of chars is time consuming, I only need autopotting for this game. I'll try to follow a youtube tutorial later first because it looks like the pointer is multileveled and not an easy task to find like PW which by clicking [find what writes to this address] shows us the offset directly.

I'll put screenshots later, plz give a hint on figuring out the pointers/base add.
Smurfin is offline  
Old 04/02/2012, 10:52   #13
 
elite*gold: 20
Join Date: May 2009
Posts: 1,290
Received Thanks: 323
You can try tracing the pointer manually. Try setting breakpoints in CE debugger. If it still crashes, change the breakpoint method in settings. If you can set breakpoints, try to read register contents, then search for the addresses in the registers. Rinse and repeat, it's not that hard once you got it figured out.

For example :

mov eax, [edx+100]

Set bp on this and check what edx register's value is. Now search manually for that. If you have a result, continue.

Cheers
Sᴡoosh is offline  
Thanks
1 User
Old 04/02/2012, 12:23   #14
 
elite*gold: 0
Join Date: Oct 2008
Posts: 1,242
Received Thanks: 669
ok thanks for the tips, I'll experiment with it
---edit---


when I clicked [find out what writes to this address], CE gave me this: mov [ecx],ax, before my computer froze and had BSOD bcoz I was using dbvm+kerneldebugger (I guess it's not stable in my pc or just a bug), anyway..what is ax ? it's not listed in the registers

here is the ss

I also tried with MHS without using debugger and search pointers manually bcoz this game doesn't like debugger of any kind attached to it, but it's like the pointer never ends , I could put the address along with multi offsets and it could still point to the correct hp address (tried both in CE and MHS), but it never static

if anyone has the time to look into it, pls advise.
Smurfin is offline  
Old 04/03/2012, 09:48   #15
 
elite*gold: 10
Join Date: Sep 2010
Posts: 399
Received Thanks: 233
AX is the lower 16 bits (2 bytes) of the EAX register. Conversely, AH is the upper 16 bits of the EAX register.
The other registers can also be accessed in this way, typically for short integer operations. They are similarly named; BX, CX, DX (lower 16 bits of EBX, ECX and EDX registers respectively).

If you don't already have them, it might be worth downloading these for reference:



dumbfck is offline  
Thanks
1 User
Reply



« LAST CHANCE TO BUY 105 R9 BM.. Only asking $400 or less! | VK Jade Dynasty Skysong Account »

Similar Threads
Sw2 autopot
12/27/2010 - SRO PServer Ask the Experts - 1 Replies
Is there any working autopot? :confused:
AutoPot
01/28/2010 - Metin2 Main - Discussions / Questions - 7 Replies
Hi I from turkey.I don't speak germeny. Selam arkadaşlar ben turk vatandaşlarımızdan birşey rica edecegim denenmiş ve çalısan en son sürüm autopot varsa bana düzgü bir şekilde anlatıp programı bana verirse sevinirim tşk. Not:Yanlış yere konu açmışsam özzür. ( I sorry. )
Good News To all Brigadier General-General of the Army
11/23/2009 - Soldier Front - 2 Replies
if you want to view your EXP if ur Brigadier General to General of the Army click this !! ?SF?Special Force to view ur EXP!!!!



All times are GMT +1. The time now is 01:22.


Powered by vBulletin®
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
SEO by vBSEO ©2011, Crawlability, Inc.

Support | Contact Us | FAQ | Advertising | Privacy Policy | Abuse
Copyright ©2018 elitepvpers All Rights Reserved.